Month of Facebook flaws gets underway

A security researcher has vowed to reveal technical details of a series of cross-site scripting vulnerabilities involving Facebook applications during September.

theharmonyguy plans to give developers 24 hours' advance notice about flaws involving their web applications before exposing them publicly. The project takes its cue from July's Month of Twitter Bug project, during which security researcher Aviv Raff applied a similar idea to the disclosure of security flaws involving Twitter and associated services.

The "Month of..." theme for security disclosures was originally pioneered by HD Moore, of Metasploit fame, with a four week fiesta that brought new browser bugs every day back in 2006.

The month of bugs began by outlining patched flaws involving FunSpace, SuperPoke! and other applications. On Tuesday it revealed a previously unpatched flaw in an application called FarmVille. Developer Zynga acted promptly to close the hole.

A flaw in the Causes application, disclosed on Wednesday, has also been fixed. Both applications were capable of lending themselves to clickjacking. Clickjacking-style vulnerabilities creates a means for miscreants to trick prospective marks into unknowingly clicking on a link or dialogue and as such can become the fodder of XSS worms, in at least some cases.

theharmonyguy, who has made a good start with five vulnerabilities in the bag, is inviting submissions from other security researchers, who will get the credit for flaws they find.

Even with outside help it might be difficult to release a new flaw every day this month, something that is much easier when considering the wider field of browser security. Rest days in the cycle could perhaps be usefully plugged with information on rogue Facebook apps.

Rik Ferguson, a security researcher at Trend Micro, found at least 11 examples of such applications two weeks ago, as detailed in his blog here. Most of the rogue apps try to trick users into handing over their login credentials.

The fact that many use the same password and username on multiple websites means that hackers armed with Facebook login details might be able to hijack webmail accounts, in turn allowing them to attack more sensitive online banking facilities or PayPal accounts. ®